AspNet.Security.OpenIdConnect.Server: Refresh tokens


Question

As far as I know, ASOS supports refresh tokens out of the box. To get a refresh token I need to add the offline_access scope to my token request. But where are they stored? How can I change the expiration date of the token or delete it? How can I determine for which user a refresh token is created?

Answer

But where are they stored?

By default, they are stored nowhere: they are self-contained. As long as the encryption keys used to protect the refresh tokens are still in the ASP.NET Data Protection key ring, they can be decrypted by ASOS and used to issue new access tokens.

How can I change expiration date of the token?

The default expiration date can be set globally from the options, using the RefreshTokenLifetime property. If you don't provide your own lifetime, they are valid for 14 days.

Note that sliding expiration is also enabled by default, which means you get a new refresh token (valid for 14 days) each time you make a new grant_type=refresh_token request. You can disable sliding expiration by setting UseSlidingExpiration to false.

... or delete it?

Since refresh tokens are self-contained, you can't delete them. You could of course consider using custom tokens (like unique strings corresponding to an entry in a database) by overriding the SerializeRefreshToken and DeserializeRefreshToken events, but the recommended approach is to simply treat them as invalid when receiving a refresh token request.

For that, you can override the HandleTokenRequest event and call context.Reject() if you consider that a refresh_token was revoked and cannot be used to issue new tokens.

How can I determine for which user a refresh token is created?

Refresh tokens contain all the claims you add when creating the original authentication ticket, so if you add a sub claim corresponding to the user identifier, you can use it to retrieve the user profile from the database.
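The configuration and the HandleTokenRequest override described in the answer, as an added example (not code from the answer or from the ASOS project). It assumes the ASOS 2.x registration style (AddOpenIdConnectServer) and a hypothetical IRevokedTokenStore that the application fills with the ids of refresh tokens it has revoked; the sub claim is read from the decrypted ticket to tie the request back to a user.

```csharp
using System;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical revocation store (assumption, not part of ASOS): the application
// records the ids of refresh tokens it has revoked, e.g. when a user logs out.
public interface IRevokedTokenStore
{
    Task<bool> IsRevokedAsync(string tokenId);
}

public static class AuthServerSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication().AddOpenIdConnectServer(options =>
        {
            options.TokenEndpointPath = "/connect/token";

            // Global default lifetime; ASOS uses 14 days when this is not set.
            options.RefreshTokenLifetime = TimeSpan.FromDays(7);
            // Without this, every refresh_token grant issues a fresh 7-day token.
            options.UseSlidingExpiration = false;

            options.Provider = new OpenIdConnectServerProvider
            {
                OnHandleTokenRequest = async context =>
                {
                    // Only the refresh_token grant carries a decrypted ticket here.
                    if (!context.Request.IsRefreshTokenGrantType())
                    {
                        return;
                    }

                    // The ticket holds the claims set when it was first created,
                    // so the sub claim identifies the user the token belongs to.
                    var subject = context.Ticket.Principal.GetClaim(OpenIdConnectConstants.Claims.Subject);
                    var tokenId = context.Ticket.GetTokenId();

                    var store = context.HttpContext.RequestServices.GetRequiredService<IRevokedTokenStore>();
                    if (subject == null || tokenId == null || await store.IsRevokedAsync(tokenId))
                    {
                        // Self-contained tokens cannot be deleted; rejecting the
                        // grant is what makes a revoked token unusable.
                        context.Reject(
                            error: OpenIdConnectConstants.Errors.InvalidGrant,
                            description: "The refresh token is no longer valid.");
                    }
                }
            };
        });
    }
}
```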
